CVE-2023-39375 - Vulnerability Details - OpenCVE

Description

SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges

Published: 2023-09-26

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SiberianCMS

SiberianCMS

unaffected

Version	Status	Constraints
`versions 4., 5.`	affected	≤ upgrade to version 4.20.44 or 5.0.4

Configuration 1 [-]

OR	cpe:2.3:a:siberiancms:siberiancms::::::::
	cpe:2.3:a:siberiancms:siberiancms::::::::

No data.

No data available yet.

Remediation

Vendor Solution

upgrade to version 4.20.44 or 5.0.4

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-43100	SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00146.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.gov.il/en/Departments/faq/cve_advisories

History

Tue, 24 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Siberiancms Siberiancms

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2023-09-26T09:15:01.807Z

Updated: 2024-09-24T13:24:36.817Z

Reserved: 2023-07-30T10:41:13.579Z

Link: CVE-2023-39375

Vulnrichment

Updated: 2024-08-02T18:10:20.255Z

NVD

Status : Modified

Published: 2023-09-27T15:18:55.883

Modified: 2024-11-21T08:15:16.390

Link: CVE-2023-39375

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39375", "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "state": "PUBLISHED", "assignerShortName": "INCD", "dateReserved": "2023-07-30T10:41:13.579Z", "datePublished": "2023-09-26T09:15:01.807Z", "dateUpdated": "2024-09-24T13:24:36.817Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SiberianCMS", "vendor": "SiberianCMS", "versions": [{"lessThanOrEqual": "upgrade to version 4.20.44 or 5.0.4", "status": "affected", "version": "versions 4.*, 5.*", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eddie Zaltsman (Ultra-Red), Yotam Zaltsman (Sling)"}], "datePublic": "2023-09-26T09:07:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges</span>\n\n"}], "value": "\nSiberianCMS - CWE-274: Improper Handling of Insufficient Privileges\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-274", "description": "CWE-274 Improper Handling of Insufficient Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD", "dateUpdated": "2023-09-26T09:15:01.807Z"}, "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">upgrade to version 4.20.44 or 5.0.4</span>\n\n<br>"}], "value": "\nupgrade to version 4.20.44 or 5.0.4\n\n\n"}], "source": {"advisory": "ILVN-2023-0132", "discovery": "UNKNOWN"}, "title": "SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:20.255Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T13:23:48.938097Z", "id": "CVE-2023-39375", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T13:24:36.817Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39375", "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "state": "PUBLISHED", "assignerShortName": "INCD", "dateReserved": "2023-07-30T10:41:13.579Z", "datePublished": "2023-09-26T09:15:01.807Z", "dateUpdated": "2024-09-24T13:24:36.817Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SiberianCMS", "vendor": "SiberianCMS", "versions": [{"lessThanOrEqual": "upgrade to version 4.20.44 or 5.0.4", "status": "affected", "version": "versions 4.*, 5.*", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eddie Zaltsman (Ultra-Red), Yotam Zaltsman (Sling)"}], "datePublic": "2023-09-26T09:07:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges</span>\n\n"}], "value": "\nSiberianCMS - CWE-274: Improper Handling of Insufficient Privileges\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-274", "description": "CWE-274 Improper Handling of Insufficient Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD", "dateUpdated": "2023-09-26T09:15:01.807Z"}, "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">upgrade to version 4.20.44 or 5.0.4</span>\n\n<br>"}], "value": "\nupgrade to version 4.20.44 or 5.0.4\n\n\n"}], "source": {"advisory": "ILVN-2023-0132", "discovery": "UNKNOWN"}, "title": "SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:20.255Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T13:23:48.938097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T13:23:53.665Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siberiancms:siberiancms:*:*:*:*:*:*:*:*", "matchCriteriaId": "49AF11C1-33B9-409D-8665-275A77A3385B", "versionEndExcluding": "4.20.44", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:siberiancms:siberiancms:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A68FF0F-29D9-4D78-9039-C57C1DD77CFE", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nSiberianCMS - CWE-274: Improper Handling of Insufficient Privileges\n\n"}, {"lang": "es", "value": "SiberianCMS - CWE-274: Manejo Inadecuado de Privilegios Insuficientes"}], "id": "CVE-2023-39375", "lastModified": "2024-11-21T08:15:16.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@cyber.gov.il", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-27T15:18:55.883", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-274"}], "source": "cna@cyber.gov.il", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}